[13663] in bugtraq
Re: Req. Clarification on Stacheldraht Analysis (fwd)
daemon@ATHENA.MIT.EDU (Dave Dittrich)
Wed Feb 2 15:27:03 2000
Message-Id: <Pine.GUL.4.21.0002011538250.16820-100000@red1.cac.washington.edu>
Date: Tue, 1 Feb 2000 15:42:01 -0800
Reply-To: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
From: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
> ... your analysis seems to contradict a comment appearing in your GAG
> application.
>
> The comment indicates that GAG is a detection tool which searches for
> Stacheldraht agents. Specifically it states:
>
> "Send an ICMP_ECHOREPLY packet with ID of 668 to a stacheldraht agent,
> causing it to reply to the sending host with an ICMP_ECHOREPLY packet with
> an ID of 669 and the string 'sicken\n'"
Checking the source, the agent (leaf/td.c) is the one that sends the
packet with ID=669 and data="sicken\n". The ID_TEST macro is not used
in the handler (mserv.c) code, but is used in a case statement in
the agent, so the gag (and dds) program comments are correct.
$ grep 669 leaf/*.c
leaf/td.c: send_connect(ipi->ip_src.s_addr,669,"sicken\n");
$ grep 668 config.h
#define ID_TEST 668 /* test of the master server */
$ grep ID_TEST mserv.c
$ grep ID_TEST leaf/*.c
leaf/td.c: case ID_TEST:
> However, the analysis says 668 packets are sent FROM an agent TO a handler.
> If that's true, it seems that GAG is in fact searching for handlers not
> agents (or the analysis is incorrect). In fact, the analysis indicates 3
> cases in which the agent is the one initiating communication with the
> handler, who in turn replies with the appropriate response.
You are correct. I made a mistake in the analysis in one place.
The paragraph should (and now does) read:
There is also a code in the agent to perform an ID test, sending an
ICMP_ECHOREPLY packet with an ID field value of 669, and the string
"sicken\n" in the data field. This code is triggered if the agent
is sent an ICMP_ECHOREPLY packet with an ID field containing the value
668. The program "gag" (see Appendix A) will allow you to probe for
stacheldraht agents, which will show up with "ngrep" like this:
The other packet exchange ("skillz"/"ficken") should be able to detect
handlers, but I haven't added that to dds yet.
Thanks to Jason Barlow for pointing this out.
--
Dave Dittrich Client Services
dittrich@cac.washington.edu Computing & Communications
University of Washington
Dave Dittrich / dittrich@cac.washington.edu [PGP Key]
http://www.washington.edu/People/dad/
PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
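The ID-test exchange the corrected paragraph describes (probe: ICMP_ECHOREPLY with ID 668; agent answer: ICMP_ECHOREPLY with ID 669 and "sicken\n" as data) can be modelled without raw sockets. The following is an added example written for this page, not code from the stacheldraht, gag or dds sources. It assumes the ID field is carried in network byte order as the standard ICMP header lays it out, that the probe's sequence number and payload are zero and empty (the message does not say what gag puts there), and that the caller hands it the ICMP message without the IP header. The sample "captured" reply is constructed by hand, checksum included.

```c
/* Added example (not from the original post or the stacheldraht/gag/dds
 * sources). Builds the ID-test probe and recognises the agent's answer.
 * Assumptions: ICMP id in network byte order, sequence 0, empty probe
 * payload, input is the ICMP message only (no IP header). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICMP_ECHOREPLY_TYPE 0
#define ID_TEST      668          /* probe ID the agent reacts to (config.h) */
#define ID_TEST_RESP 669          /* ID the agent answers with (leaf/td.c) */
#define TEST_RESP    "sicken\n"   /* data field of the agent's answer */

/* RFC 792 one's-complement checksum over the whole ICMP message.
 * Over a message whose checksum field is already filled in, the result is 0. */
static uint16_t icmp_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint16_t)((buf[0] << 8) | buf[1]);
        buf += 2;
        len -= 2;
    }
    if (len)
        sum += (uint16_t)(buf[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo reply (type 0, code 0, seq 0) with the given id and
 * payload into out. Returns the message length, or 0 if cap is too small. */
size_t build_echo_reply(uint8_t *out, size_t cap, uint16_t id, const char *data)
{
    size_t dlen = strlen(data);
    size_t len = 8 + dlen;
    if (len > cap)
        return 0;
    out[0] = ICMP_ECHOREPLY_TYPE;
    out[1] = 0;                     /* code */
    out[2] = out[3] = 0;            /* checksum placeholder */
    out[4] = (uint8_t)(id >> 8);    /* id, network byte order (assumption) */
    out[5] = (uint8_t)(id & 0xff);
    out[6] = out[7] = 0;            /* sequence */
    memcpy(out + 8, data, dlen);
    uint16_t ck = icmp_cksum(out, len);
    out[2] = (uint8_t)(ck >> 8);
    out[3] = (uint8_t)(ck & 0xff);
    return len;
}

/* The probe gag sends: echo reply with id 668 and (assumed) empty payload. */
size_t build_id_test_probe(uint8_t *out, size_t cap)
{
    return build_echo_reply(out, cap, ID_TEST, "");
}

/* Return 1 if pkt is the agent's ID-test answer: echo reply, code 0,
 * valid checksum, id 669 and payload starting with "sicken\n". */
int is_agent_id_test_reply(const uint8_t *pkt, size_t len)
{
    const size_t rlen = sizeof(TEST_RESP) - 1;
    if (len < 8 + rlen)
        return 0;
    if (pkt[0] != ICMP_ECHOREPLY_TYPE || pkt[1] != 0)
        return 0;
    if (icmp_cksum(pkt, len) != 0)      /* corrupted or forged message */
        return 0;
    uint16_t id = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (id != ID_TEST_RESP)
        return 0;
    return memcmp(pkt + 8, TEST_RESP, rlen) == 0;
}

/* Constructed sample of what an agent's answer would look like on the wire
 * (not a real capture): type 0, code 0, checksum 0xb71f, id 0x029d (669),
 * seq 0, data "sicken\n". */
static const uint8_t sample_agent_reply[] = {
    0x00, 0x00, 0xb7, 0x1f, 0x02, 0x9d, 0x00, 0x00,
    0x73, 0x69, 0x63, 0x6b, 0x65, 0x6e, 0x0a
};

int check_sample_reply(void)
{
    return is_agent_id_test_reply(sample_agent_reply, sizeof sample_agent_reply);
}

int main(void)
{
    uint8_t probe[64];
    size_t n = build_id_test_probe(probe, sizeof probe);
    printf("probe (%zu bytes):", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", probe[i]);
    printf("\nsample reply matches agent: %d\n", check_sample_reply());
    return 0;
}
```

Feeding the bytes to a raw socket, and reading replies back, is left to the caller; the point here is that the match requires all four conditions (type, checksum, ID 669, "sicken\n"), so an ordinary echo reply with ID 669 from some unrelated ping does not count.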